2016-03-21 50 views
0

此代码不会更改登录用户的密码,而会更改为0,然后不允许我重新登录。我了解md5不是最安全的,因为这不会仅仅是一个项目的活跃网站。不过,我接受有关替代方案的建议。我在db中有两个名为password和password2的字段,它们在更改密码后都需要更改。此外,错误消息不显示。数据库中的密码字段更改为0

<?php 
    session_start(); 
    if (!isset($_SESSION["user_login"])) { 
     header("Location: sign_up.php"); 
    } else { 
      $username = $_SESSION["user_login"]; 
    } 

    include ("connect.php"); 


    ?> 

    <?php 

    //Variables 

    if(isset($_POST['change_pass_submit'])){ 

    $oldpassword = $_POST['oldpassword']; 
    $newpassword1 = $_POST['newpassword1']; 
    $newpassword2 = $_POST['newpassword2']; 




     $pass_query = mysqli_query ($connect, "SELECT * FROM users WHERE email='$username'"); 
     while ($row = mysqli_fetch_assoc($pass_query)) { 

      $existing_pass = $row ['password']; 


      //Checking if md5 encrypted password matches 
      $md5_oldpassword = md5($oldpassword); 
      //check if the old password and the old password entered now match 
      if ($md5_oldpassword == $existing_pass){ 
       //check if the two new passwords match 
       if ($newpassword1 == $newpassword2) { 

        $md5_newpassword = md5($newpassword1); 
        $md5_newpassword2 = md5($newpassword2); 
        //Query to update the password 
        $password_update_query = mysqli_query($connect, "UPDATE users SET password='$md5_newpassword' AND password2='$md5_newpassword2' WHERE email='$username'"); 

        echo "Your password has now changed!"; 

        } 
        else{ 

         echo "Your new password and re entered password does not match. Please try again."; 
         } 
       } 
       else { 
        echo "Your old password does not match. Please try again."; 
        } 
      } 

     } 


    ?> 
    <div class="container"> 
    <h3> Change your Password: </h3> 
    <form action="" method="POST" enctype="multipart/form-data"> 
     <div class="form-group"> 
      <label for="oldpassword">Old Password:</label> 
      <input type="oldpassword" class="form-control" name="oldpassword" placeholder="Enter old password" > 
     </div> 
     <div class="form-group"> 
      <label for="newpassword1">New Password:</label> 
      <input type="newpassword1" class="form-control" name="newpassword1" placeholder="Enter new password" > 
     </div> 
     <div class="form-group"> 
      <label for="newpassword2">New Password:</label> 
      <input type="newpassword2" class="form-control" name="newpassword2" placeholder="Re-Enter new password" > 
     </div> 
     <center> 
     <button type="submit" class="btn btn-primary" name="change_pass_submit" style=" background-color:#337AB7; color:white;">Change Password</button> 
     </center> 

    </form> 
    </div> 
+0

出于好奇,为什么你在表中存储相同的值*两次? – David

+0

...为什么MD5?你有没有多次看过*“回到未来”? –

+0

@David在用户注册时进行验证。 –

回答

2

您在查询中有一个错误:

"UPDATE users SET password='$md5_newpassword' AND password2='$md5_newpassword2' WHERE email='$username'" 

它应该是:

"UPDATE users SET password='$md5_newpassword', password2='$md5_newpassword2' WHERE email='$username'" 


但是,在查询中错误的是的大问题在这里。最大的问题是,你的代码是极不安全

  1. 它很容易受到sql injection
    恶意打算能做什么他们喜欢与您的数据库。您应该开始使用prepared statements(在PHP中查看PDO)。
  2. 您的密码没有正确散列!
    使用PHP的构建中的功能:password_hashpassword_verify代替md5(该md5散列算法是古老与它的几个问题已被确定为密码散列,问题是,它的设计是快速快意味着它。 easy to crack。快速意味着专门的硬件可以做到350 billion guesses per second)。
相关问题